Add CT imaging section

chapter-hsms/chapter.tex

@@ -734,7 +734,20 @@ via fence layers, at the bottom of the PCB is one more layer containing the pads
 % FIXME put the CT people in the acknowledgements! Also the microwave people!
 To evaluate CT imaging as an attack method, we performed CT imaging of the potted HSM module of an Ingenico payment
 terminal. Figure~\ref{hsm_fig_ingenico_potted} shows the module we analyzed and two images exported from the resulting
-CT scan data. % FIXME
+CT scan data. Figure~\ref{hsm_fig_ingenico_potted_ct_cut} shows a horizontal cut across part of the module. In this cut,
+we can clearly identify a mesh layer with multiple traces, four solid metal contacts riveted to the mesh foil, and two
+unused contact pads and mesh traces in the lower part of the picture. An attacker would be able to use this information
+to target the metal contacts with a tool like a needle probe. From the CT scan we were able to measure that the mesh of
+the device has a pitch of \qty{1.0}{\milli\meter}. Thus, even inserting a thin needle probe right through one of the
+mesh's traces should be possible without breaking the trace.
+
+Figure~\ref{hsm_fig_ingenioc_potted_ct_3d} shows a 3D reconstruction of the mesh's conductor layout. While the
+reconstruction is slightly noisy due to the limited scan time available, it contains ample detail to reconstruct the
+mesh's layout and conductor count, and even to derive conductor dimensions in order to calculate resistance and other
+electronic parameters. The mesh's foil is wrapped around the circuit board forming a pillow shape, which is clearly
+reflected in the reconstructed 3D mesh geometry. This information could be used to guide a CNC milling machine to
+selectively ablate the device's potting precisely down to the mesh's conductors to enable direct patching attacks on the
+mesh.
 
 \section{Discussion}